Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2013-11-12 16:36:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam" Changes: --------
--- /work/SRC/openSUSE:Factory/pam/pam.changes 2013-09-29 17:50:46.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes 2013-11-12 16:36:45.000000000 +0100
@@ -1,0 +2,14 @@
+Tue Nov 12 13:08:44 CET 2013 - ku...@suse.de
+
+- Add encryption_method_nis.diff:
+ - implement pam_unix2 functionality to use another hash for
+ NIS passwords.
+
+-------------------------------------------------------------------
+Fri Nov 8 16:01:35 CET 2013 - ku...@suse.de
+
+- Add pam_unix.diff:
+ - fix if /etc/login.defs uses DES
+ - ask always for old password if a NIS password will be changed
+
+-------------------------------------------------------------------
New: ---- encryption_method_nis.diff pam_unix.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.MemVTR/_old 2013-11-12 16:36:46.000000000 +0100
+++ /var/tmp/diff_new_pack.MemVTR/_new 2013-11-12 16:36:46.000000000 +0100
@@ -53,6 +53,8 @@
 Source8: etc.environment
 Source9: baselibs.conf
 Patch0: fix-man-links.dif
+Patch1: pam_unix.diff
+Patch2: encryption_method_nis.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -97,6 +99,8 @@
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %build
 export CFLAGS="%optflags -DNDEBUG"
++++++ encryption_method_nis.diff ++++++
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 0cfc0f4..2239206 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 * rebuild the password database file.
 */
+
+ /* if it is a NIS account, check for special hash algo */
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+ /* preset encryption method with value from /etc/login.defs */
+ int j;
+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+ }
+ }
+
 /*
 * First we encrypt the new password.
 */
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 19d72e6..dafa9f0 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,8 +37,8 @@
 #define SELINUX_ENABLED 0
 #endif
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
 {
 FILE *fp;
 char *buf = NULL;
@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 }
 /* preset encryption method with value from /etc/login.defs */
- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
 if (val) {
 for (j = 0; j < UNIX_CTRLS_; ++j) {
 if (unix_args[j].token && unix_args[j].is_hash_algo
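Review bot: In the pam_sm_chauthtok hunk of encryption_method_nis.diff, the ENCRYPT_METHOD_NIS override changes the hash flags in `ctrl` but never re-reads SHA_CRYPT_MAX_ROUNDS. The `_set_ctrl` context in the support.c hunk shows `*rounds` being loaded only when a SHA flag is already set at that point, so with a non-SHA ENCRYPT_METHOD and a SHA value for NIS the hash would presumably be built with the default round count instead of the configured one; repeating that lookup after the override would close the gap. The comparison `!strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))` is also only a prefix test, so a mistyped value that merely begins with a known token is accepted without the warning; if `_unix_search_key` already returns a trimmed value (not visible here), `!strcasecmp(val, unix_args[j].token)` is the stricter check. pam_sm_chauthtok starts and ends outside the hunk.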
@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 /* read number of rounds for crypt algo */
 if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
 if (val) {
 *rounds = strtol(val, NULL, 10);
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6f5b2eb..a35a8a8 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
 extern int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
 #endif /* _PAM_UNIX_SUPPORT_H */
++++++ pam_unix.diff ++++++
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6575938..6f5b2eb 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -97,8 +97,9 @@ typedef struct {
 password hash algorithms */
 #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
 #define UNIX_MIN_PASS_LEN 27 /* min length for password */
+#define UNIX_DES 28 /* DES, default */
 /* -------------- */
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
 #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
 /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
 /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
 };
 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
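Review bot: The prototype added to support.h in encryption_method_nis.diff exports `_unix_search_key` without saying who owns the returned string. The new caller in pam_unix_passwd.c tests the result for NULL and then calls `free (val)`, so the contract appears to be a heap-allocated value or NULL. A comment above the declaration such as `/* returns a malloc'ed copy of the value of key in filename, or NULL; the caller must free() it */` would keep later callers from leaking or double-freeing it.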
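Review bot: In the `unix_args` hunk of pam_unix.diff, the new UNIX_DES entry carries a flag of `0`, so selecting it can only clear the other hash bits through its mask and sets no bit of its own. If `on()` tests an entry's flag against `ctrl` (the macro is not shown here), `on(UNIX_DES, ctrl)` can never be true and callers must keep using `UNIX_DES_CRYPT(ctrl)`; a comment on the entry such as `/* flag is 0 on purpose: DES means no other hash bit is set, test with UNIX_DES_CRYPT() */` would make that explicit. Because this makes `des` an accepted hash selection, the `#define UNIX_DES 28` line could also note that traditional DES crypt only uses the first eight characters of a password and is meant for compatibility.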
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 9aae3b0..d5f2540 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -614,7 +614,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (_unix_blankpasswd(pamh, ctrl, user)) {
 return PAM_SUCCESS;
- } else if (off(UNIX__IAMROOT, ctrl)) {
+ } else if (off(UNIX__IAMROOT, ctrl) ||
+ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
 /* instruct user what is happening */
 if (asprintf(&Announce, _("Changing password for %s."), user) < 0) {
-- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
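Review bot: The widened `else if` in the pam_sm_chauthtok hunk of pam_unix.diff calls `_unix_comesfromsource(pamh, user, 0, 1)` inline with two unexplained literal arguments, and encryption_method_nis.diff repeats the same test further down the same function. Computing it once, e.g. `int nis_account = on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1);`, with a comment that root is also asked for the old password when a NIS password is changed, would document the intent and avoid a second lookup. It is worth confirming what the lookup returns when the NIS server cannot be reached, since root would then presumably skip the old-password prompt. The function body continues outside the hunk.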